A group of researchers on Tuesday said 637 million web users are surfing with outdated internet browsers and are, therefore, at greater risk of web-based attacks.
Using data collected from Google web searches and security firm Secunia, the researchers — Stefan Frei of ETH, Zurich; Thomas Dübendorfer of Google; Gunter Ollmann of IBM ISS; and Martin May of ETH, Zurich — analysed the browsers in use and presented the results in a report. The researchers aimed to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.
Overall, the authors found that roughly 40 percent of users were utilising insecure versions of web browsers. Among the least upgrade-compliant were users of Internet Explorer (IE), which currently dominates the internet-browser market.
The data was collected in mid-June 2008. Of the users, 78 percent employed IE, 16 percent Firefox, three percent Safari, and 0.8 percent Opera. The percentage of these users who were running the latest version of their browser was 52 percent for IE, 92 percent for Firefox, 70 percent for Safari, and 90 percent for Opera.
The authors noted that it has taken IE7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE7 or still had IE6 installed.
Some of this has to do with how the respective suppliers provide updates. IE7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE6.
The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser information.
The study made comparisons to the food industry, arguing that people understand the need to buy the safest foods, but not to use the safest version of browsers. The study asked whether internet browsers, like food, should display expiration dates. The authors provided an example of a browser that displayed in red in the upper-right-hand corner: "145 days expired, three updates missed."
However, unlike in the food industry, there is no liability for software vendors. And, the authors noted, software vendors are not legally obliged to provide software updates.
Talkback
Some of the blame for the large proportion of surfers using outdated versions of IE has to be laid at Microsoft's door. IE7 is not available to those of us still running Windows 2000.
79196 2 Jul 08 10:22
One reason for this could be that hacked copies of XP which do not get past M/S security cannot update to IE7. It may reflect just how many hacked copies are out there.
tanker12uk 2 Jul 08 11:36
I would like to see how many of the people that haven't upgraded have either dial-up connections or slow unstable broadband. I think you would find that they go hand in hand. I know my folks never update their system, because all they have is dial-up. I mean if you had dial-up would you upgrade?
spartus4 4 Jul 08 04:30
I have tried to do that for a number of my customers. In the end it was cheaper to do it by either taking the unit back to my base or, believe it or not, via mobile connection, as most of the ISPs here won't hold the connection long enough to get the upgrade.
tanker12uk 4 Jul 08 10:50
I use Firefox, which I prefer to IE7. I was a beta tester and hit many issues with IE7 which has rather put me off installing it. Occasionally I have to use the IE6 rendering engine with Firefox (using IE Tab) either because the page won't display correctly in Firefox, or because it uses ActiveX controls. Presumably this would flag me as an IE6 user. If so, a reluctant one!
38895 4 Jul 08 11:08
Considering IE7 was built on the IE6 engine I don't really see any advantage to upgrading, security is not that much better. They have just copied some of Firefox's features to try to keep pace.
ator1940 7 Jul 08 14:04
It's always easy to blame the vendor but in this instance, I don't see why it's Microsoft's fault that some users won't update their browsers. The updates are there, users know where to find them and in some cases are notified of them, what more can they do? Force users to upgrade?
harpless 7 Jul 08 18:51
They don't make any money on browsers, so don't expect a huge marketing push.
In my opinion by making the updates available and notifying you, they've done enough.
Perhaps that's why Bill's leaving...before it all comes grinding to a halt!
thinkfeeldo 8 Jul 08 05:12
'Hey, ya can't blame me, I don't run the place anymore.'
TFD
I have access to stats for over 50 sites covering a range of genres and have never seen less than 25% Firefox users in the last 6 months. In fact in most cases it's around 34%. Agree with the figures for percentage of IE7 to IE6 users though. On tech sites there are usually more IE7 users than IE6 and on non-tech sites it is usually IE6 that has its nose in front but in each case it's pretty even between the two.
David Long 9 Jul 08 10:33
I don't think it's Microsoft's responsibility to force users to upgrade. They have IE7 as the default browser on their latest OS and prevented the install of IE6 and have included IE7 as a free update or manual download.
The only way I see IE6 users finally being forced to update is either:
1) Widespread attacks on the less secure browser - scaring users into updating.
2) Web developers stop supporting it (most sites require some tweaking to get it to render in IE6 correctly; when this stops, people will eventually have enough of looking at broken pages and will upgrade)
3) Microsoft stop selling XP and users are eventually forced onto Vista or a newer OS which will not support IE6
I personally hate IE6 users as I have to spend so much time tweaking just for them and cannot use some cool new features/tricks that other browsers support because IE doesn't. IE6 users are holding back the web.